Compliance Management
Contributing editor: Daniel Lucien Bühr
Argentina 7
Pedro Serrano Espelta and Gustavo Morales Oliver
Marval, O’Farrell & Mairal

Brazil 12
Bruno De Luca Drago and Fabianna Vieira Barbosa Morselli
Demarest Advogados

China 15
Gary Gao
Zhong Lun

Germany 18
Barnim von den Steinen
Rotthege | Wassermann

Greece 23
Vicky Athanassoglou
VAP Law Offices

India 29
Junia Sebastian, Arindam Basu and Richika LRS
ALMT Legal

Italy 35
Andrea Fedi and Marco Penna
Legance – Avvocati Associati

Japan 40
Hiroyuki Nezu, Masataka Hayakawa, Kumpei Ohashi, Teruhisa Toyama and Tadashi Yuzawa
Atsumi & Sakai

Nigeria 47
Babajide Ogundipe, Olatunde Ogundipe and Olajumoke Omotade
Sofunde Osakwe Ogundipe & Belgore

Russia 51
Alexey Borodak and Sergey Avakyan
Norton Rose Fulbright (Central Europe) LLP

Spain 56
Helena Prieto González, Beatriz Bustamante Zorrilla, Marta Sánchez Martín and Alejandro Ayala González
Garrigues

Switzerland 61
Daniel Lucien Bühr and Marc Henzelin
Lalive

Turkey 65
Ümit Hergüner and Zeynep Ahu Sazcı Uzun
Hergüner Bilgen Özeke Attorney Partnership

United Kingdom 70
Dan Lavender, Matt McCahearty and Malcolm Walton
Macfarlanes LLP

United States 75
Keith M Korenchuk
Arnold & Porter

Do DOJ policy and the ISO compliance standard overlap? 79
Daniel Lucien Bühr
Lalive
Preface
Risk & Compliance Management 2018
Second edition
Throughout this edition, and following the unique Getting the Deal Through format, the same key questions are answered by leading practitioners in each of the jurisdictions featured. Our coverage this year includes new chapters on China, Greece, India, Nigeria and Turkey and an article, written by the editor, on the overlap between the US Department of Justice's assessment of corporate compliance programmes and the International Organization for Standardization's guidance for compliance management systems.
London
May 2018
www.gettingthedealthrough.com 3
© Law Business Research 2018
ALMT Legal INDIA
India
Junia Sebastian, Arindam Basu and Richika LRS
ALMT Legal
1 What legal role does corporate risk and compliance management play in your jurisdiction?

Although, at present, India as a country is still awaiting comprehensive legal guidelines with respect to corporate risk and compliance management, in recent times compliance with labour, industrial, financial and corporate laws has gathered enormous momentum within the corporate sector.

2 Which laws and regulations specifically address corporate risk and compliance management?

Keeping in mind the plethora of labour, financial and corporate laws in India with which a company is required to be compliant, below are certain laws and regulations that we believe are required to be complied with on the highest priority with respect to each sector.
necessarily encompass the entire value chain of stakeholders, namely, shareholders, management, employees, bankers, customers, vendors and regulators.

Thus, all persons, organisations and undertakings are targeted at varying degrees by the rules of risk and compliance management.

4 Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

The Indian legal system recognises sector-specific regulatory and enforcement agencies and bodies that are responsible for corporate compliance in a particular sector. The government of India has enacted various acts, and inter alia created various statutory bodies to regulate and implement the provisions specified therein. The following are a few examples of the principal regulatory and enforcement bodies in India with responsibility for corporate compliance:
• The Registrar of Companies (ROC) is the designated authority that deals with the administration of the Companies Act 2013, and falls under the ambit of the Ministry of Corporate Affairs. It is mandatory for companies incorporated under the Companies Act 2013 to file various forms, returns and documents with the ROC with respect to their day-to-day corporate compliance and activities.
• The Reserve Bank of India (RBI) is the central bank of the country and the key authority that lays down the compliance functions for banks throughout India. The RBI, via its notification RBI/2006-2007/335 dated 20 April 2007, has laid down certain mandatory compliance functions including but not limited to strict observance of all statutory provisions contained in various legislations such as the Banking Regulation Act 1949, Reserve Bank of India Act 1934, Foreign Exchange Management Act 1999, Prevention of Money Laundering Act 2002, etc, as well as ensuring observance of other regulatory guidelines issued from time to time such as standards and codes prescribed by the Banking Codes and Standards Board of India, Indian Banks Association, Foreign Exchange Dealers Association of India, Fixed Income Money Markets and Derivatives Association, etc, and also each bank’s internal policies and fair practices code. The RBI also sets out the rules and regulations for exchange control transactions in India, eg, foreign investment and outbound investment related regulations.
• The Securities and Exchange Board of India (SEBI) promotes and regulates the securities market in India. In order to protect the interests of investors, SEBI has laid down various compliances required to be followed by listed entities. In addition to this, SEBI has directed the stock exchanges to implement various measures to ensure corporate compliances including inter alia the setting up of a separate monitoring cell to monitor compliance with the provisions of corporate governance and listing of public issues.
• The Competition Commission of India was established under the Competition Act 2002 to eliminate practices having an adverse effect on competition, to promote and sustain competition, and to protect the interests of consumers and ensure freedom of trade by other participants.
• The prime objective of the Enforcement Directorate is the enforcement of two key acts of the government of India, namely, the Foreign Exchange Management Act 1999 and the Prevention of Money Laundering Act 2002. The officers of the Directorate perform an adjudication function so as to impose a penalty on persons for the contravention of the said acts.

5 Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

The Indian laws have been designed to implement risk and compliance management. While there is no specific law or regulation in India that defines ‘risk management’ and ‘compliance management’, the same have been widely recognised under various statutes in the manner described in earlier questions.

6 Are risk and compliance management processes set out in laws and regulations?

Yes. As stated above, Indian laws set out various provisions for risk and compliance management. For example, the Companies Act 2013 requires a board of directors to develop and implement a risk management policy and identify risks that may threaten the existence of the company. Further, the Companies Act 2013 has made the requirement of compliance very explicit by stipulating a mandatory requirement of positive affirmation from the directors as part of the directors’ responsibility statement under section 134, stating that the directors have devised a proper system to ensure compliance with the applicable laws and that such systems are operating effectively.

It is to be noted that section 205 also requires a company secretary to provide a report to the board about compliance with the provisions of the said Act, the rules made thereunder and other laws applicable to the company.

The most significant regulation in this context is Regulation 27(2) of the SEBI (Listing Obligations and Disclosure Requirements) Regulations 2015 (LODR), which defined significantly tighter personal responsibility of top management for the accuracy of reported corporate governance and inter alia stipulates the preparation of a compliance report on all laws applicable to a company and its periodic review by the board of directors, as well as steps to be taken by the company to rectify instances of non-compliance and the sending of reports on compliance to the stock exchanges quarterly. The stock exchanges have been directed by SEBI to set up a separate monitoring cell with identified personnel to monitor compliance with the provisions of the revised Regulation 27(2) of SEBI (LODR) 2015 on corporate governance and to submit a consolidated compliance report to SEBI within 15 days from the end of each quarter.

As per LODR, read with section 134(5)(f) of the Companies Act 2013, the relevant provisions mandate the present corporate bodies to incorporate and implement a legal compliance management system:
• Regulation 4(1) of LODR requires that the listed entity shall abide by all the provisions of the applicable laws and other guidelines;
• Regulation 4(2)(f) of LODR directs that the board of directors of the listed entity shall ensure that a system for compliance with the law and relevant standards is in place; and
• Regulation 17(3) of LODR provides that the board of directors shall periodically review compliance reports pertaining to all laws applicable to the listed entity, prepared by the listed entity, as well as steps taken by the listed entity to rectify instances of non-compliance.

There are a number of other acts and regulations besides the SEBI guidelines, such as the Information Technology Act 2000, Companies Act 2013, etc, that mandate corporate bodies in both the public and private sectors to maintain and conduct a periodic review of the regulatory functions and processes of the organisation to ensure that the company’s goal, structure and ongoing operations are consistent with the latest developments in business and corporate laws and regulations. This then lowers the compliance risk profile, reduces fines, reassigns headcounts, enables a better and higher use of the limited law department’s resources, saves measurable costs, improves effectiveness and ensures due diligence.

7 Give details of the main standards and guidelines regarding risk and compliance management processes.

There are no specific standards or guidelines regarding risk and compliance management processes in India. However, the same have been laid down in various forms of law and regulation. For example, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 state that companies must have ‘reasonable security practices and procedures’ and that companies are deemed in compliance if they have a documented security programme with managerial, technical, organisational and physical controls. ISO 27001 is provided as a reference standard.

The basic guidelines for risk and compliance management processes are:
• reporting: the reports from management to the board should, in relation to the areas covered by them, provide a balanced assessment of the significant risks and the effectiveness of the system of internal control in managing the risks. Any significant control failings or weaknesses identified should be discussed in the reports, including the impact that they have had, or may have, on the company and the actions being taken to rectify them; and
• roles and responsibilities: all employees have some responsibility for internal control as part of their accountability for achieving objectives. The employees collectively should have the necessary knowledge, skills, information and authority to establish, operate and monitor the system of internal control.

A strong risk and compliance management system framework can mitigate risks if it can:
• identify the risk inherent in achieving goals and objectives;
• establish risk appetite across the entire risk spectrum;
• establish and communicate risk management frameworks;
• build accurate and consistent risk assessment;
• establish and implement measurement reporting standards and methodologies;
• build a risk profile;
• establish the key control processes, practices and reporting requirements;
• monitor the effectiveness of control;
• ensure all the exposures are adequately identified, measured and managed in accordance with board-approved frameworks;
• provide early warning signals;
• ensure risk management practices are adequate and appropriate for managing the risks;
• report areas of stress where crystallisation of risks is imminent;
• present remedial actions to reduce or mitigate such risks;
• report on sensitive and key risk indicators;
• communicate with relevant parties;
• review and challenge all aspects of the company’s risk profile;
• advise on optimising and improving the company’s risk profile; and
• review and challenge risk management practices.

8 Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Yes, as explained above, undertakings operating in India are subject to risk and compliance governance obligations. As per section 134(5)(f) of the Companies Act 2013, the directors have to state in the yearly directors’ responsibility statement that they have devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively.

On failure to comply with the above requirement, the company shall be punishable with fines ranging from 50,000 rupees to 2.5 million rupees and every officer of the company who is in default shall be punished with imprisonment for a term of up to three years or with a fine ranging from 50,000 rupees to 500,000 rupees, or with both.

Further, corporate governance lays down the foundation of a properly structured board and strives for a healthy balance between management and ownership that is capable of taking independent decisions for creating long-term trust between the company and external stakeholders of the company. It creates space for open dialogue by incorporating transparency and fair play in the strategic operations of corporate management. The significance of corporate governance lies in:
• accountability of management to shareholders and other stakeholders;
• transparency in basic operations of the company and integrity in financial reports produced by the company;
• checks and balances as an integral part of good corporate governance;
• adherence to the rules of the company in law and spirit;
• a code of responsibility for directors and employees of the company; and
• open dialogue between management and stakeholders of the company.

9 What are the key risk and compliance management obligations of undertakings?

Key compliances under the Companies Act 2013 are as follows:
• consolidated financial statements are to be prepared where a company has subsidiaries and associates. Intermediary subsidiaries are exempted provided shareholders of the parent have consented to the same;
• a uniform financial year has been implemented for all companies as April to March. Specific approvals for deviation can be obtained from the National Company Law Tribunal for certain classes of companies;
• as per section 138 of the said Act and Rule 13 of the Companies (Accounts) Rules 2014, the following companies are required to appoint an internal auditor in a board meeting:
  • listed companies;
  • a public company with a paid-up share capital of more than 500 million rupees and a turnover of 2 billion rupees, loans and borrowings of more than 1 billion rupees and outstanding deposits of more than 250 million rupees; and
  • a private company with a turnover of 2 billion rupees, loans and borrowings of more than 1 billion rupees;
• the provisions on reporting fraud have been laid down under section 143(12) of the Act, which provides that if the auditor of a company, in the course of the performance of their duties as auditor, has reason to believe that an offence involving fraud is being or has been committed against the company by officers or employees of the company, they shall report the matter to the central government;
• as per section 204(1) of the said Act, read with Rule 9 of the Companies (Appointment and Remuneration of Managerial Personnel) Rules 2014, the following companies are required to obtain a secretarial audit report:
  • every listed company;
  • every public company having a paid-up share capital of 500 million rupees or more; and
  • every public company having a turnover of 2.55 billion rupees or more.

Key compliances under the Foreign Exchange Management Act 1999:
• a foreign liabilities and assets return is required to be submitted mandatorily by all companies resident in India that have received foreign direct investment or made outward direct investment (ODI) in any of the previous year or years, including the current year; in other words, those that hold foreign assets or liabilities in their financial statements as of 31 March; and
• an Indian party or resident individual that has made an ODI has to submit an annual performance report in Form ODI Part II to the authorised dealer bank by 31 December every year in respect of each joint venture or wholly owned subsidiary outside India.

Key compliances under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Data Protection Rules):
• any person or entity that collects, receives, stores, processes or handles personal or sensitive personal information must provide a privacy policy on the company’s website that should be accessible to the provider of information;
• the Data Protection Rules mandate companies to obtain express consent from the provider of sensitive personal information regarding the purpose and use of the information. The consent can be obtained through any electronic media;
• the company should ensure that the data providers are made aware of the purpose for which the sensitive personal information is collected, the intended recipients of the information, the agency collecting the information, the agency retaining the information, etc. Further, the data provider should be given an option not to provide the information or to revise or withdraw the information;
• the companies must have ‘reasonable security practices and procedures’. The companies are deemed in compliance if they have a documented security programme with managerial, technical, organisational and physical controls. ISO 27001 is provided as a reference standard; and
• all discrepancies or grievances reported to companies must be addressed in a timely manner. Companies must appoint a grievance officer and publish their name and contact details on the company’s website. The grievance officer must redress all the data subjects’ grievances within one month of receiving the grievance.

10 What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

As per the Companies Act 2013, the board of directors is required to develop and implement a risk management policy and identify risks that may threaten the existence of the company. Further, the Act has
made the requirement of compliance very explicit by stipulating a mandatory requirement of positive affirmation from the directors as part of the directors’ responsibility statement under section 134, stating that the directors have devised a proper system to ensure compliance with the applicable laws and that such systems are operating effectively. It is to be noted that section 205 also requires a company secretary to provide a report to the board about compliance with the provisions of the said Act, the rules made thereunder and other laws applicable to the company.

Further, SEBI issued the revised clause 49 that would be applicable to all listed companies with effect from 1 October 2014. The revised clause 49 requires senior management to make disclosures to the board relating to all material financial and commercial transactions where they have a personal interest that may have a potential conflict with the interest of the company at large. The term ‘senior management’ shall mean members of the core management team. This will include all members of management one level below the executive directors, including all functional heads.

11 Do undertakings face civil liability for risk and compliance management deficiencies?

Compliance in general means compliance with laws and regulations. These laws and regulations may stipulate penalties for non-compliance with their provisions. While there are no direct consequences for deficiencies in risk and compliance management mechanisms, penalties may be imposed if the same result in infringement of the said laws. Below are a few examples of penalties imposed:
• As per section 88 of the Companies Act 2013, if a company fails to maintain a register of members, the company and every officer of the company in default shall be punishable with a fine ranging from 50,000 rupees to 300,000 rupees. Further, as per section 92 of the Act, if a company fails to file a copy of its annual return within the prescribed timeline, the company shall be punishable with a fine ranging from 50,000 rupees to 500,000 rupees.
• Section 13 of the Foreign Exchange Management Act 1999 imposes a penalty on every person who contravenes any provision of this Act, or contravenes any rule, regulation, notification, direction or order issued in exercise of the powers under this Act, or contravenes any condition subject to which an authorisation is issued by the Reserve Bank. The said penalty can equal up to three times the sum involved in such contravention where the amount is quantifiable, or up to 200,000 rupees where the amount is not quantifiable. Where such contravention continues, further penalties can be levied of up to 5,000 rupees for each day after the first day during which the contravention continues.
• Section 21 of the Maternity Benefit Act 1961 states that every employer who does not comply with the provisions of the Act shall be punishable with imprisonment of up to three months, with a fine of up to 500 rupees or with both.
• Section 22A of the Minimum Wages Act 1948 imposes a penalty on every employer who contravenes any provision of this Act or any rule or order made thereunder with a fine of up to 500 rupees.
• Via its circular dated 15 June 2017, SEBI has imposed certain penalties for non-compliance with certain provisions of the SEBI (Issue of Capital and Disclosure Requirements) Regulations 2009, which include inter alia a penalty of 20,000 rupees a day for delay in completion of a bonus issue, until the date of actual compliance.
• Section 43A of the Competition Act 2002 imposes penalties on any person or enterprise who fails to give notice to the commission with respect to forming a combination. The penalty imposed may extend to one per cent of either the total turnover or the assets, whichever is the higher amount.

12 Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Yes, undertakings do face administrative and regulatory consequences for risk and compliance management deficiencies.

For example, under the Aircraft Rules 1937, powers have been conferred on the central government and the Director General of Civil Aviation (DGCA) to grant various licences, permits, certificates, approvals, etc. At the same time, these rules empower them to suspend, cancel, withdraw or modify them if the document holder contravenes certain provisions of these rules or does not comply with the directions issued by the DGCA or does not observe the terms and conditions of the relevant document. This can be termed administrative action.

Further, undertakings in India have been governed by various regulators such as the RBI, SEBI, Insurance Regulatory and Development Authority (IRDA), Pension Fund Regulatory and Development Authority, National Bank for Agriculture and Rural Development, Telecom Regulatory Authority of India, etc.

In addition to the penalties imposed by the RBI and SEBI as explained above, please note that section 105B of the IRDA stipulates the penalty for failure of an insurer to undertake life insurance business and general insurance business in the rural or social sector. In such an event, an insurer shall be liable to a penalty of up to 500,000 rupees for each such failure and shall be punishable with imprisonment for up to three years or with a fine for each such failure.

13 Do undertakings face criminal liability for risk and compliance management deficiencies?

Yes, undertakings face criminal liability for risk and compliance management deficiencies in India. The Companies Act 2013 prescribes the penalties for offences committed by companies. Under the Income Tax Act 1961, the Customs Act 1962, the Central Sales Tax Act 1956 and the Central Excise Act 1944, various tax-related crimes such as tax evasion, smuggling, customs duty evasion, value added tax evasion and tax fraud are prosecuted.

Further, the Environment (Protection) Act 1986 is an act under which the central government is empowered to protect and improve the quality of the environment. A significant statutory rule framed under this Act is the Hazardous Waste (Management and Handling) Rules 1989. It is to be noted that any violation of any rule framed under the provisions of the said Act renders the offender liable for imprisonment for a term of up to five years with a fine, and if the contravention continues beyond a period of one year, the term of imprisonment may be increased by another five years.

14 Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Yes, the members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations. For example, section 35(1) of the Companies Act 2013 imposes civil liability on every director, promoter or other senior management personnel for any mis-statements in the prospectus.

15 Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

Yes. See question 12.

16 Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

The Companies Act 2013 prescribes punishments for offences committed by companies under the Act. Liability for an offence leads to conviction or punishment by way of imprisonment or fine or both, and the punishment is inflicted on the company, the directors and other officers of the company who were accused and found guilty of the offence by a court.

In most cases, the persons liable for the offences are ‘officers who are in default’ and the said term is defined exhaustively under the Act. For the purpose of any provision under that Act, an ‘officer of the company’ means any of the following:
• a whole-time director;
• key managerial personnel, who include:
  • a managing director, or chief executive officer or manager and, in their absence, a whole-time director;
  • the company secretary; and
  • the chief financial officer (CFO);
• where there are no key managerial personnel, such director or directors as are specified by the board on its behalf who have given their consent in writing to the board to such specification, or all of the directors if no director is so specified;
For example, the DPE requires Central Public Sector enterprises to submit quarterly progress reports with regard to compliance with corporate governance guidelines. Further, the guidelines also require the Administrative Ministries to consolidate the information received from such enterprises and submit a comprehensive report on the status of compliance with corporate governance guidelines to the DPE.

In addition to the above, the DPE also provides for certain other policies to regulate risk and compliance management that include but are not limited to personnel policies, vigilance policies, financial policies, corporate social responsibility, etc.

20 What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?

The introduction of the Companies Act 2013 has imposed certain additional compliance requirements on private companies that, until then, were mandated only for public companies and private companies that are subsidiaries of public companies. These include the following:
• appointment of directors to be voted on individually;
• the option to adopt the principle of proportional representation for the appointment of directors; and
• the provisions pertaining to ineligibility for appointment as a director are also extended to cover the appointment or reappointment of a director in a private limited company.

Certain provisions of clause 49 of the Listing Agreement are very specific with regard to risk and compliance management obligations for public companies. Clause 49 I(D) of the Listing Agreement with the stock exchanges requires companies to institute a code of ethics for the board and senior management and affirm compliance with the same on an annual basis. Although institution of the whistle-blower mechanism is not mandatory at present, clause 49 II(D) requires an audit committee to review procedures for the receipt, retention and treatment of complaints (including confidential and anonymous submissions by employees) received regarding accounting, internal accounting controls or auditing matters, providing for adequate safeguards against victimisation of employees who avail of the mechanism and also providing for direct access to the chairman of the audit committee in exceptional cases. The stock exchanges’ corporate governance listing standards require listed companies to incorporate a code of ethics for directors and senior management and to publicly disclose the code on the company’s website. The guidelines changed focus away from compliance toward a broader assessment of corporate efforts to create an ethical organisational culture.

Schedule IV, read with section 149(8) of the Companies Act 2013, lays down the code for professional conduct for independent directors. The duties of an independent director elaborated in Part III of Schedule IV include ascertaining and ensuring that the company has an adequate and functional vigil mechanism and that the interests of the persons using it are not harmed. The independent directors are also entrusted with the task of reporting concerns over unethical behaviour, actual or suspected fraud or violation of the company’s code of conduct or ethics policy. Such changes made by the Act with regard to governance, transparency, disclosures, the position of the serious fraud investigation office, etc, under section 211 of the Companies Act 2013 are expected to make companies shift from being complacent to playing compliant roles.

In particular, the amended guidelines require boards of directors and executives to assume responsibility for the oversight and management of ethics and compliance programmes. The provisions will help in developing a valuable framework for the design of effective ethics and compliance programmes.
Online
www.gettingthedealthrough.com
ISBN 978-1-78915-067-4